#!/bin/bash

export LEAK_DETECTIVE_DISABLE=1

ROOT="/var/www"

##
# strongSwan Root CA
cd /etc/ca

# copy default web page
cp index.html ${ROOT}

# copy strongsSwan CA certificate
cp strongswanCert.pem ${ROOT}
cp strongswanCert.der ${ROOT}

# generate CRL for strongSwan Root CA
pki --signcrl --cakey strongswanKey.pem --cacert strongswanCert.pem \
    --lastcrl strongswan.crl > ${ROOT}/strongswan.crl

# revoke moon's current certificate
pki --signcrl --cakey strongswanKey.pem --cacert strongswanCert.pem \
    --reason key-compromise --serial 03 \
    --lastcrl ${ROOT}/strongswan.crl > ${ROOT}/strongswan_moon_revoked.crl

# generate a base CRL
pki --signcrl --cakey strongswanKey.pem --cacert strongswanCert.pem \
    --crluri http://crl.strongswan.org/strongswan_delta.crl \
    --lastcrl strongswan.crl --lifetime 30 > ${ROOT}/strongswan_base.crl

# generate a delta CRL revoking moon's current cert
pki --signcrl --cakey strongswanKey.pem --cacert strongswanCert.pem \
    --basecrl ${ROOT}/strongswan_base.crl --reason key-compromise \
    --serial 03 --lifetime 15 > ${ROOT}/strongswan_delta.crl

# generate Hash-and-URL certificates
CERTS_DIR="${ROOT}/certs"
for cert in `ls certs`
do
  openssl x509 -in certs/${cert} -outform der -out ${CERTS_DIR}/cert.der
  mv ${CERTS_DIR}/cert.der ${CERTS_DIR}/`sha1sum ${CERTS_DIR}/cert.der | head -c 40`
done

##
# Research CA
cd /etc/ca/research

# copy Research CA certificate
cp researchCert.pem ${ROOT}
cp researchCert.der ${ROOT}

# generate CRL for Research CA
pki --signcrl --cakey researchKey.pem --cacert researchCert.pem \
    > ${ROOT}/research.crl

# generate Hash-and-URL certificates
CERTS_DIR="${ROOT}/certs/research"
for cert in `ls certs`
do
  openssl x509 -in certs/${cert} -outform der -out ${CERTS_DIR}/cert.der
  mv ${CERTS_DIR}/cert.der ${CERTS_DIR}/`sha1sum ${CERTS_DIR}/cert.der | head -c 40`
done

##
# Sales CA
cd /etc/ca/sales

# copy Sales CA certificate
cp salesCert.pem ${ROOT}
cp salesCert.der ${ROOT}

# generate CRL for Sales CA
pki --signcrl --cakey salesKey.pem --cacert salesCert.pem \
    > ${ROOT}/sales.crl

# generate Hash-and-URL certificates
CERTS_DIR="${ROOT}/certs/sales"
for cert in `ls certs`
do
  openssl x509 -in certs/${cert} -outform der -out ${CERTS_DIR}/cert.der
  mv ${CERTS_DIR}/cert.der ${CERTS_DIR}/`sha1sum ${CERTS_DIR}/cert.der | head -c 40`
done

##
# strongSwan EC Root CA
cd /etc/ca/ecdsa

# copy ECDSA CA certificate
cp strongswanCert.pem ${ROOT}/strongswan_ecdsaCert.pem
openssl ec -in strongswanKey.pem -outform der -out ${ROOT}/strongswan_ecdsaCert.der
chmod a+r ${ROOT}/strongswan_ecdsaCert.der

# generate CRL for strongSwan EC Root CA
pki --signcrl --cakey strongswanKey.pem --cacert strongswanCert.pem \
    > ${ROOT}/strongswan_ecdsa.crl

##
# strongSwan RFC3779 Root CA
cd /etc/ca/rfc3779

# generate CRL for strongSwan RFC3779 Root CA
pki --signcrl --cakey strongswanKey.pem --cacert strongswanCert.pem \
    > ${ROOT}/strongswan_rfc3779.crl

##
# strongSwan SHA3-RSA Root CA
cd /etc/ca/sha3-rsa

# generate CRL for strongSwan SHA3-RSA Root CA
pki --signcrl --cakey strongswanKey.pem --cacert strongswanCert.pem \
    --digest sha3_256 > ${ROOT}/strongswan_sha3_rsa.crl

##
# strongSwan Ed25519 Root CA
cd /etc/ca/ed25519

# generate CRL for strongSwan Ed25519 Root CA
pki --signcrl --cakey strongswanKey.pem --cacert strongswanCert.pem \
    > ${ROOT}/strongswan_ed25519.crl

##
# strongSwan Monster Root CA
cd /etc/ca/monster

# generate CRL for strongSwan Monster Root CA
pki --signcrl --cakey strongswanKey.pem --cacert strongswanCert.pem \
    > ${ROOT}/strongswan_monster.crl

##
# strongSwan BlISS Root CA
cd /etc/ca/bliss

# generate CRL for strongSwan BLISS Root CA
pki --signcrl --cakey strongswan_blissKey.der --cacert strongswan_blissCert.der \
    --lifetime 30 --digest sha3_512 > ${ROOT}/strongswan_bliss.crl
